Three methods
Generally, there are three different methods that will enable devices on your network to be protected by Pi-hole.
1. Define Pi-hole's IP address as the only DNS entry in the router
Rationale
Only is italicized here for a reason: Pi-hole needs to be the only DNS server because it intercepts queries and decides whether or not they should be blocked. If you have other DNS servers configured, you may be sent to the correct domain, bypassing Pi-hole completely.
Because of this, we recommend this method (or method 2) as all your devices can be protected and you only need to change one setting. For many home users, their router settings pages will look similar.
This method may not be possible to enable on some routers depending on the feature set exposed to the firmware; if you are running an advanced firmware, you may want to look at method 2.
Caveats
- Per-host tracking on Pi-hole (i.e. logging of DNS requests tied to individual machines by their respective hostnames) will be unavailable unless you use the hosts file on Pi-hole (all requests will show as originating from the router itself).
- The ability to resolve hostnames on the LAN. For example, connecting to a machine behind the router by its hostname will not work.
Setup
Log into your router's configuration page and find the DHCP/DNS settings. Note: make sure you adjust this setting under your LAN settings and not the WAN.
Again, Pi-hole should be the only DNS server set here as Pi-hole already delivers the other upstream servers. If you set another server in your router, it's possible your ad blocking may be negatively affected.
They should have been configured during installation of Pi-hole, but you want to verify you have designated upstream DNS servers. This setting is found in the Web interface (http://pi.hole) > Settings > DNS and define the Upstream DNS entries:
Important: If you have existing network devices on your network when you make this change, you will not see ads getting blocked until the DHCP lease is renewed. You can usually force a renewal by restarting the device.
2. Advertise Pi-hole's IP address via dnsmasq in the router (if supported)
This method is very similar to method 1, but if your router has an advanced firmware (OpenWRT, DD-WRT, Tomato, etc.), you probably have more options available then what you would find on a stock router purchased from the store.
Rationale
If you have this capability, there are a few benefits:
- Per-host tracking on Pi-hole
- The ability to resolve hostnames on the LAN
- Ad blocking/network monitoring provided by Pi-hole
Setup
On the router, use a custom dnsmasq config entry to advertise the IP of the Pi-hole box. Many firmwares have a section in their respective web GUIs listed under DHCP or DNS for this. The screenshot below was taken from DD-WRT and is only meant to be illustrative:
The syntax is: dhcp-option=6,IP_of_Pi-hole. This is simply doing what the method 1 above is obscuring (setting DHCP option 6)
Example: If Pi-hole is running on a machine whose IP address is 192.168.1.250, this becomes:
dhcp-option=6,192.168.1.250
On Pi-hole, login to the web interface (http://pi.hole) > Settings > DNS and instead of choosing upstream servers like Google or OpenDNS, set the upstream to be the IP address of the router as the only upstream DNS server. Do not define any other DNS entries for Pi-hole:
3. Manually configure each device
This option works well in two use cases:
- You only want certain devices to use Pi-hole
- You only want certain devices to not use Pi-hole
Rationale
This method allows for hand-picking which device on the LAN is protected by Pi-hole. Think of it is an opt-in strategy allowing clients/devices the choice to be protected by Pi-hole or not.
Likewise, you can use this method to opt-out of Pi-hole. This assumes you have configured your network to use Pi-hole as their DNS server using one of the two previous methods. By manually setting the DNS server to something other than Pi-hole, you override the DHCP options, and thus what DNS server to use, provided by your router.
Setup
macOS
- Click Apple > System Preferences > Network
- Highlight the connection for which you want to configure DNS
- Click Advanced
- Select the DNS tab
- Click + to replace any listed addresses with, or add, your Pi's IP addresses at the top of the list:
- Click Apply > OK
- Repeat the procedure for additional network connections you want to change.
Windows
DNS settings are specified in the TCP/IP Properties window for the selected network connection.
- Go to the Control Panel
- Click Network and Internet > Network and Sharing Center > Change adapter settings
- Select the connection for which you want to configure
- Right-click Local Area Connection > Properties
- Select the Networking tab
- Select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6)
- Click Properties
- Click Advanced
- Select the DNS tab
- Click OK
- Select Use the following DNS server addresses
- Replace those addresses with the IP addresses of your Pi
- Restart the connection you selected in step 3
- Repeat the procedure for additional network connections you want to change.
Linux
In most modern Linux distributions, DNS settings are configured through Network Manager.
- Click System > Preferences > Network Connections
- Select the connection for which you want to configure
- Click Edit
- Select the IPv4 Settings or IPv6 Settings tab
- If the selected method is Automatic (DHCP), open the dropdown and select Automatic (DHCP) addresses only instead. If the method is set to something else, do not change it.
- In the DNS servers field, enter your Pi's IP addresses
- Click Apply to save the change
- Repeat the procedure for additional network connections you want to change.
- If your distribution doesn't use Network Manager, your DNS settings are specified in
/etc/resolv.conf.